[ https://issues.apache.org/jira/browse/SLING-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17388852#comment-17388852 ]
Bertrand Delacretaz commented on SLING-10676: --------------------------------------------- Turns out adding these files was not needed, the default security policy applies to all GitHub repos from the apache organization that don't have one. For example https://github.com/apache/incubator-ponymail-foal/security/policy displays https://github.com/apache/.github/blob/main/.github/SECURITY.md even though there's no SECURITY.md at https://github.com/apache/incubator-ponymail-foal Anyway, with the one I added we have sling-specific security information, that doesn't hurt. > Add a SECURITY.MD file to all our Git repositories > -------------------------------------------------- > > Key: SLING-10676 > URL: https://issues.apache.org/jira/browse/SLING-10676 > Project: Sling > Issue Type: Improvement > Components: Documentation > Reporter: Bertrand Delacretaz > Assignee: Bertrand Delacretaz > Priority: Minor > > We should add > [https://github.com/apache/.github/blob/main/.github/SECURITY.md] to all our > repositories (but linking to [1]), as per > [https://twitter.com/iamamoose/status/1417104695626240001:] > {quote}All Apache projects follow the default ASF security policy; but not > all have a github SECURITY․md file, and they get penalised, i.e. with lower > #openssf scorecard scores > ([http://metrics.openssf.org|http://metrics.openssf.org/]) > {quote} > Tentatively assigning to myself but if someone beats me to it I'd be happy! > [1] https://sling.apache.org/project-information/security.html -- This message was sent by Atlassian Jira (v8.3.4#803005)